The Cost Bounty

Alex Porcelain
Nov 22, 2020

A solid bug bounty is one of the highest return on investment components of any information security program.

Bug bounty programs allow external researchers to responsibly disclose previously undetected security vulnerabilities on a company’s public infrastructure in exchange for compensation. Most companies use a third party broker to handle logistics such as registering external “researchers” (yes, that is the industry standard term for white hat hackers), validating the quality of reported bugs, and facilitating the payouts. Some companies have an “employees only” bug bounty program which encourages internal employees to discover and report vulnerabilities in exchange for a monetary bonus, gift or symbolic “pat on the back”.

Bug bounties are extremely valuable for two main reasons.

Firstly, they give thousands of expert eyes the opportunity to inspect a component with which internal engineers are likely less familiar. Further, whereas an internal security team may be pressured to complete an assessment within set timelines (e.g. prior to a major release), bug bounty participants are not influenced by the same business factors. Plus, researchers are always skilled in the latest techniques and tools — often authoring their own.

Secondly, bug bounties are a cost effective way to discover security vulnerabilities before they are published or exploited by “the bad guys”. Don’t get me wrong, companies have had huge bug bounty payouts in 2020. But in the end, they benefit greatly from awarding the costly bounties and remediating the issues rather than dealing with the financial loss that could come with a successful cyber attack or incurring penalties from a regulator.

As I complete a graduate course on IT Finance, I couldn’t help but wonder why more companies don’t expand the bug bounty model to support cost reduction within their technology organizations. Finance teams procure, review, approve and facilitate payments for technology teams, but how many of them understand how to consolidate licensing costs, optimize a data store, or re-allocate servers without affecting the productivity of engineers? On the other hand, engineers spend their day focused on building a solid product and on performance optimization, but rarely have any incentive to find ways to “trim the fat” on IT spend. An engineer’s KPIs are focused on delivering.

The suggestion: Empower employees across an organization to research, report and implement ways to reduce IT cost inefficiency within the company. If you fix it (or show someone else how to), you get a monetary reward commensurate with the overall annual savings to the organization.

A company’s engineers are the ones who are best suited to comment on the tools, technologies and processes. By leveraging the expertise of the people who are hands-on, management can get a better idea of how to save on cost and improve the bottom line.

Some practical examples:

  • A database administrator for one product notices that another team’s data model stores large images for each product and is consuming more storage than required.
  • A security engineer notes that the QA team is using the paid version of a testing tool, but nobody on the team is taking advantage of the features that require the more expensive license.
  • An application developer sees that the security standard requires using a rather expensive AMI for their development project. A new version, released after that policy was written, is cheaper and should meet the same standard.

Implementing a program like this could be tricky. It would need to be tightly scoped to ensure there is no unhealthy competition between departments and that employees do not cross professional boundaries. Further, in order to keep departments commercially focused on their assigned role, nobody should be rewarded for “cost bounty” submissions within their own team’s remit (they should just do that as part of the job). Submissions should be worked on only outside standard work hours, to avoid people shifting away from their core work. Additionally, I’d recommend disallowing any submission that eliminates someone’s job. The purpose must always remain to drive down IT costs within an organization.

I’m not exactly sure how the bounties would be calculated, but I’d venture that rewards should be a percentage of first year and second year savings. Pointing out an efficiency would earn a smaller percentage than architecting the solution. Building, deploying and handing off the solution would earn the most.

At the end of the day, all businesses want to save on unnecessary cost to support their bottom line. Do you think a model like this is possible? Have you seen it implemented anywhere?
